Hackers Use Subtitle Files to Take Over PCs

Posted on May 26, 2017

Hackers are adept at finding clever new ways to infect computers with malware. Just when you think you’ve seen it all, they come up with something new to bypass both antivirus software and your own common sense. Security firm Check Point reports a new breed of malware is spreading in fake movie subtitles. You think you’re loading a subtitle, but what you’re actually doing is giving a hacker full access to your computer.

It’s common to see subtitle files (usually a .srt or .sub) included in torrents and other less-than-legal movie downloads, so people tend to simply ignore them. You can load this file into most video players to display subtitles in the chosen language synced to the video. Check Point says that there are roughly 200 million installations of video players vulnerable to this exploit including VLC, Kodi, Popcorn-Time, and Strem.io.

This attack relies upon the insecure way many video players process subtitle files. There are more than two dozen subtitle file formats, so most media players capable of opening them are designed to process anything that claims to be a subtitle file. In this case, the hackers have hidden a remote access tool in the subtitle files. After a malicious file is opened by the media player, the attacker gets full control over the target machine. They can see the screen, control the mouse, and run arbitrary code. The hackers could even install ransomware on the machine if they wanted. Check Point has published a demo of the malware taking over a machine mere seconds after a subtitle file is loaded.

Currently, you need to pirate something to end up with one of the malicious subtitle files. Check Point also notes there are online repositories of subtitles like OpenSubtitles.org that could be used by hackers to get their malicious code on machines as users manually search for and open subtitles. Many media players also reach out to these sites to grab subtitles automatically, which could be a problem if hackers can get their exploits ranked highly.
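The weakness described above is that players accept anything that claims to be a subtitle file, including files fetched automatically from online repositories. As an added illustration (not code from Check Point or from any of the players named here), this sketch checks a downloaded .srt file against the plain SRT grammar before it is handed to a player. The size limits, the UTF-8 requirement and the tag allow-list are assumptions chosen for the example.

```python
import re

MAX_BYTES = 1_000_000   # assumed cap; subtitle text files are small
MAX_CUE_CHARS = 500     # assumed cap on one cue's text
TIMING = re.compile(r"^(\d\d):([0-5]\d):([0-5]\d),(\d{3}) --> "
                    r"(\d\d):([0-5]\d):([0-5]\d),(\d{3})$")
# Assumed policy: only basic styling tags are allowed in cue text.
ALLOWED_TAG = re.compile(r"</?[ibu]>", re.IGNORECASE)

# Constructed samples: a well-formed file and one that only claims to be SRT.
GOOD = b"1\n00:00:01,000 --> 00:00:03,500\nHello <i>there</i>\n\n2\n00:00:04,000 --> 00:00:06,000\nBye\n"
BAD = b"1\n00:00:01,000 --> 00:00:03,500\n<div>text</div>\n\nnot a cue at all\n"


def _ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def validate_srt(data: bytes) -> list:
    """Return a list of problems; an empty list means the file passed."""
    if len(data) > MAX_BYTES:
        return ["file larger than MAX_BYTES"]
    if b"\x00" in data:
        return ["NUL byte: not a text file"]
    try:
        text = data.decode("utf-8-sig").replace("\r\n", "\n").strip()
    except UnicodeDecodeError:
        return ["not valid UTF-8"]
    blocks = [b for b in re.split(r"\n\s*\n", text) if b]
    if not blocks:
        return ["no cues found"]
    problems = []
    for n, block in enumerate(blocks, start=1):
        lines = block.split("\n")
        if len(lines) < 3:
            problems.append(f"cue {n}: expected index, timing and text lines")
            continue
        if lines[0].strip() != str(n):
            problems.append(f"cue {n}: unexpected index line")
        m = TIMING.match(lines[1].strip())
        if not m:
            problems.append(f"cue {n}: malformed timing line")
        elif _ms(*m.groups()[:4]) >= _ms(*m.groups()[4:]):
            problems.append(f"cue {n}: end time not after start time")
        body = "\n".join(lines[2:])
        if len(body) > MAX_CUE_CHARS:
            problems.append(f"cue {n}: text longer than MAX_CUE_CHARS")
        if "<" in ALLOWED_TAG.sub("", body):
            problems.append(f"cue {n}: markup other than <i>, <b>, <u>")
    return problems
```

A file that passes this check is only well-formed SRT; it does not replace running a patched player.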

VLC and Strem.io have both released updated clients that are not vulnerable to the attack. Kodi has a fix in the works, but it’s only available as a source code download right now. Popcorn-Time is patched, but the new version is still being rolled out to download servers. It’s a good idea to update even if you don’t torrent or download subtitle files.